Exploring the Infection Chain: ScreenConnect's Link to AsyncRAT Deployment

July 5, 2024, 4:20 p.m.

Description

In June 2024, eSentire's Threat Response Unit observed several incidents in which users downloaded the ScreenConnect remote access client, potentially via drive-by downloads. Threat actors abused ScreenConnect to establish unauthorized remote sessions and ultimately deployed the AsyncRAT trojan. The malicious scripts that were executed used techniques such as execution delays and conditional execution to evade detection by security software.

Date

  • Created: July 5, 2024, 2:48 p.m.
  • Published: July 5, 2024, 2:48 p.m.
  • Modified: July 5, 2024, 4:20 p.m.

Indicators


Attack Patterns

  • AsyncRAT
  • T1053.005
  • T1490
  • T1059.005
  • T1027.002
  • T1204.001
  • T1059.003
  • T1059.001
  • T1027.005
  • T1059.007
  • T1059.004
  • T1204.002
  • T1055
  • T1219
  • T1204
  • T1027
  • T1053
  • T1562
  • T1090
  • T1059